CPW has previously covered the long-running Sonic cybersecurity litigation.

As readers will recall, in 2017 unidentified third parties accessed Sonic customers’ payment card data.  The hackers purportedly obtained customer payment card information from more than three hundred Sonic Drive-Ins.  Litigation followed and was consolidated into multidistrict litigation (“MDL”).  In the consolidated complaint filed in the MDL, Sonic customers alleged that their personal information had been exposed to criminals and was at risk of future misuse.  Some of the customers alleged that they had been victims of identity theft and that fraudulent charges had been placed on their accounts, which they attributed to the data breach.  Separately, claims were filed against Sonic on behalf of various financial institutions.  Although the consumer claims settled for $4.3 million in 2018, the financial institution disputes remain ongoing.

Last month Sonic moved for summary judgment, arguing that because the cyber event at issue was attributable to its point-of-sale vendor, Sonic itself cannot be held liable.  On Monday, Plaintiffs filed their opposition briefing.  In it they argued that Sonic’s “central role in affirmatively creating the vulnerabilities exploited during the [data event] establishes its duty” under applicable state law.

Interestingly in this case—and underscoring the role a forensic report can play in a cybersecurity litigation—both Plaintiffs and Sonic point to facts contained in a forensic report prepared after the cyberattack as supporting their legal arguments on summary judgment.  Presumably this report was produced earlier in the litigation during the discovery process.

As argued by Sonic, “[b]ecause each Sonic Drive-In restaurant has a free-standing network environment that operates independently of the Sonic Corporate Defendants, each Sonic Drive-In restaurant takes orders and processes payments independently of others, and, more importantly, independently of Sonic Corporate.”  Moreover, as asserted by Sonic, “[p]oint-of-sale (POS) systems used by franchisees for taking orders and electronic payments are provided by third party POS vendors, and those third-party point-of-sale solutions are supported, managed, and serviced by the third-parties that built and provided them, not Sonic corporate.”  (emphasis in original).  To the extent there were “contributing factors” to the data event at issue, Sonic argued that responsibility for those factors lies with the third-party vendor, not with Sonic.

Sonic’s legal argument boils down to this: absent evidence of affirmative conduct by Sonic that exposed Plaintiffs to harm, Sonic has no liability.

Plaintiffs—relying on the same forensic report as Sonic—tell a different story.  According to Plaintiffs, “Sonic created an insecure, non-two factor authenticated remote access account for its point-of-sale (“POS”) vendor.”  Additionally, the third-party vendor referenced in Sonic’s brief (according to Plaintiffs) is not a cybersecurity vendor and provides no cybersecurity services.  Instead, it merely provides a POS system “in a collection of hardware, software, and devices that make up Sonic’s proprietary payment systems.”  On Plaintiffs’ framing, then, the relevant security failure is not the POS software itself but the remote-access path into the restaurant environments: who provisioned the vendor’s account, and whether it required a second authentication factor, is a question about Sonic’s own conduct rather than the vendor’s.

Whether the court agrees with Plaintiffs’ or Sonic’s characterization of the facts remains to be seen.  Given the technical considerations and legal issues implicated by this litigation, it remains one to watch closely going forward.  Not to worry: CPW will be there to keep you informed of developments as they occur.  Stay tuned.